Iran attacked with data-wiping malware, report says

The Iranian team that handles cybersecurity threats reported that the country's computer systems were the target of malware capable of wiping disk partitions clean of data.

The MAHER Center of Iranian National Computer Emergency Response Team reported the attack on Sunday, but did not list the targets. The organization did describe the attack as "targeted," meaning it was aimed at systems of specific organizations.

Iran has been the target of cyber-sabotage malware before. In 2010, the Stuxnet worm attacked the country's nuclear facilities, damaging centrifuges used to enrich uranium. The New York Times reported in June that the attack was a joint effort of the U.S. and Israel.

The latest attack is far less sophisticated than Stuxnet. The malware was used in an "extremely simplistic" assault in which the attacker wrote a batch program and then used a BAT2EXE tool to turn it into a file that could run on a Windows Preinstallation Environment (PE), Roel Schouwenberg, a security expert with Kaspersky Lab, wrote on Monday on the company's SecureList blog.

Batch programs, also called BAT files, are used to run repetitive tasks, such as backups. Windows PE is a lightweight version of the operating system that is used to deploy Windows on workstations and servers and to troubleshoot the OS when it is offline.

[See also: How to plan an industrial cyber-sabotage operation -- A look at Stuxnet]

The destructive payload within the BAT file will try to delete all files in drives D through I, Schouwenberg said. It will also try to do the same on the infected desktop.

"Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the Iranian CERT said.

The malware seemed designed to go after older systems, implying that the targets were computers used to do mundane activities like operating as a server or controller, said Murray Jennex, an associate professor at San Diego State University and an expert in international information systems.

The attack also could have been aimed at PCs used by an engineer in the field or systems in educational facilities, Jennex said. But he said he didn't believe the malware was sophisticated enough to affect Iran's main research support systems.

"However, I wouldn't be quick to say Iran is being attacked as the report says nothing about tracing the attack and it would not surprise me if this is an internal attack, either by dissidents or to take some of the [cyberespionage] heat off of Iran," Jennex told CSO Online.

In its code analysis, Kaspersky said the malware, dubbed Trojan.Win32.Maya.a, tries to cover its tracks by running check disk, a command on Windows used to fix file system errors or check on the status of hard disks.

"I assume the attacker is trying to make the loss of all files look like a software or hardware failure," Schouwenberg said.

Windows PCs running 64-bit versions of the OS will receive a warning if the malware tries to run. That's because the payload includes a 16-bit executable called SLEEP.exe, Schouwenberg said. Because 16-bit files won't run on 64-bit versions of Windows, trying to do so launches a warning notifying the user that a program won't start or run.
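The behaviour described above (mass deletion of drives D through I and the desktop, then a chkdsk run to disguise the loss, plus a 16-bit SLEEP.exe launch) can be turned into a simple triage heuristic over process-creation telemetry. The script below is an added example written for this article, not code from Kaspersky or the Iranian CERT; the log lines, host names and field layout are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records for this example
# (host|image|command line). Not real telemetry.
SAMPLE_LOG = """\
host1|cmd.exe|del /f /s /q D:\\*.*
host1|cmd.exe|del /f /s /q E:\\*.*
host1|cmd.exe|del /f /s /q F:\\*.*
host1|cmd.exe|del /f /s /q G:\\*.*
host1|cmd.exe|del /f /s /q "C:\\Users\\alice\\Desktop\\*.*"
host1|cmd.exe|SLEEP.exe 2
host1|cmd.exe|chkdsk D: /f
host2|cmd.exe|del /q C:\\temp\\old.log
host2|cmd.exe|chkdsk C: /f
"""

# A delete whose target is a bare drive root (X:\ or X:\*.*), as described
# for drives D through I; a delete under a Desktop folder; chkdsk; SLEEP.exe.
ROOT_WIPE_RE = re.compile(r'^del\b.*?\s"?([A-Za-z]):\\(\*(\.\*)?)?"?\s*$', re.I)
DESKTOP_RE = re.compile(r'^del\b.*\\Desktop\\', re.I)
CHKDSK_RE = re.compile(r'^chkdsk\b', re.I)
SLEEP16_RE = re.compile(r'^sleep\.exe\b', re.I)
WIPER_DRIVES = set("DEFGHI")


def summarize(log_text):
    """Per host: which data-drive roots were wiped and what followed."""
    hosts = defaultdict(lambda: {"roots": set(), "desktop": False,
                                 "chkdsk_after_wipe": False, "sleep16": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _image, cmd = line.split("|", 2)
        s = hosts[host]
        m = ROOT_WIPE_RE.match(cmd)
        if m and m.group(1).upper() in WIPER_DRIVES:
            s["roots"].add(m.group(1).upper())
        elif DESKTOP_RE.match(cmd):
            s["desktop"] = True
        elif CHKDSK_RE.match(cmd) and (s["roots"] or s["desktop"]):
            s["chkdsk_after_wipe"] = True  # only counts once a wipe was seen
        elif SLEEP16_RE.match(cmd):
            s["sleep16"] = True
    return dict(hosts)


def is_suspicious(s, min_roots=2):
    """Wipe of several drive roots (or the desktop) followed by chkdsk."""
    return (len(s["roots"]) >= min_roots or s["desktop"]) and s["chkdsk_after_wipe"]


def flagged_hosts(log_text=SAMPLE_LOG):
    return sorted(h for h, s in summarize(log_text).items() if is_suspicious(s))
```

host2 is a routine cleanup followed by a disk check and is not flagged; only the host whose chkdsk follows root-level deletions is reported.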

There's nothing in the code linking the malware to other targeted cyberattacks on Iran. Besides Stuxnet, security experts this year discovered Flame, a Stuxnet cousin that tried to steal data primarily from computer systems in Iran and Palestine.
